
I really just wanted to archive this somewhere else than in my mailbox, where it keeps getting lost even though I’m asked for it every 2 years or so 🙂

2014-04-09: Updated with tested Active Directory errorcodes

Sometimes actions fail, but the reason is that everything is OK, such as adding a member to a group when the member is already a member of the group. (Always wanted to write that!) Or you just don’t care that the action failed: you want the workflow to continue anyway and not end up in the On Fail event just yet.

If that’s the case, the Call script in case of error option is just what you need. This example is from 2010 but I believe it should still work. I don’t have an LDAP server to test it on at the moment, so please let me know if it’s broken. It accesses some specific objects to get the actual error, so it’s quite nice to have around. You don’t need to make it this advanced though. The only things you really need are:

– Check the error

– If you want the workflow to go on, execute uSkip(1,1);

– If you want to end the workflow and go to whatever On Error/Chain Error events exist, just exit the script or verify it using uSkip(1,2);

uSkip sets the exit state: the first parameter is 1 for entry, 2 for pass (use in jobs only, not provision actions). The second parameter is the state, where 1 is OK and 2 is FAILED.



// Main function: myLDAPerrorhandler
//
// Some LDAP servers report an ERROR if a multivalue add or del operation tries to add an existing or delete a non-existing value.
// This occurs for uniquemember, memberof and a few other multivalue attributes.
// Because this is reported as an error the workflow will stop...
// This script checks if the reported LDAP error is
// ADS ADD operation:
//   68 - LDAP_ALREADY_EXISTS
//   Indicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to
//   rename an entry to the name of an entry that already exists.
//   Example: Original mod exceptionjavax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000562: ....
// SUN ADD operation:
//   20 - LDAP_TYPE_OR_VALUE_EXISTS
//   Indicates that the attribute value specified in a modify or add operation already exists as a value for that attribute.
// ADS DEL operation:
//   53 - LDAP_UNWILLING_TO_PERFORM
//   Indicates that the LDAP server cannot process the request because of server-defined restrictions.
//   Example: Exception from Modify operation:javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00000561: ...
// SUN DEL operation:
//   "LDAP: error code 16"
// and if the errorcode matches we set provision status OK so that the workflow can continue. An error has already been
// logged so the runtime logfile will still have the errorcount increased and a red entry in the UI.
//
// This script must be run as On Error in a To DSA pass
//
function myLDAPerrorhandler(Par){
   // uGetErrorInfo() returns the error info entry of the failed pass, or null if there is none
   var entry = uGetErrorInfo();
   if (entry != null)
   {
      UserFunc.uErrMsg(0,"myLDAPerrorhandler: Got data from errorInfo");
      if (entry.containsKey("err_ModException"))
      {
         var exc = entry.get("err_ModException");
         // The original (JNDI) exception carries the "[LDAP: error code NN - ...]" text we match on
         var orig = exc.getOriginalException();
         if (orig != null)
         {
            UserFunc.uErrMsg(0, "myLDAPerrorhandler: Original mod exception" + orig);
            // Instr(start, string, search, compare) is the IdM string search helper; it returns 0 when not found
            var addSUNPos = Instr(1,orig,"LDAP: error code 20",1);
            var addADSPos = Instr(1,orig,"LDAP: error code 68",1);
            var delSUNPos = Instr(1,orig,"LDAP: error code 16",1);
            var delADSPos = Instr(1,orig,"LDAP: error code 53",1);
            if (addSUNPos > 0 || addADSPos > 0) {
               UserFunc.uErrMsg(0, "myLDAPerrorhandler: Error on multivalue add for existing value detected, setting provision OK");
               UserFunc.uSkip(1,1);
            }
            if (delSUNPos > 0 || delADSPos > 0) {
               UserFunc.uErrMsg(0, "myLDAPerrorhandler: Error on multivalue delete of nonexisting value detected, setting provision OK");
               UserFunc.uSkip(1,1);
            }
         }
      }
   }
}
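The script above matches only on the generic LDAP result code. Error code 53 (unwillingToPerform) is a catch-all, so the AD-specific data code that follows it in the message (00000561 for "not a member", 00000562 for "already a member", as seen in the runtime log below) is the safer thing to key on. The following is an added example, not code from the original post: a plain JavaScript classifier that extracts both values and decides whether the failure is a harmless no-op; it runs under Node.js, and inside IdM the caller would call UserFunc.uSkip(1,1) when `benign` is true and just return otherwise. The sample messages in the comments are taken from the log below or constructed for illustration.

```javascript
// Added example (not from the original post): classify a JNDI/LDAP modify
// exception message as a harmless no-op or a real failure. Plain JavaScript,
// runs under Node.js; in SAP IdM the caller would do UserFunc.uSkip(1,1)
// when the result's benign flag is true.

// LDAP result codes the post treats as benign for multivalue add/delete.
var BENIGN_RESULT_CODES = {
  20: "typeOrValueExists (Sun add: value already present)",
  68: "entryAlreadyExists (ADS add: member already in group)",
  16: "noSuchAttribute (Sun delete: value not present)",
  53: "unwillingToPerform (ADS delete: generic refusal)"
};

// Win32 data codes AD appends after the result code; these two appear in the
// post's runtime log. 53 can mean many things, so for AD we only accept it
// when the data code says "not a member".
var AD_DATA_CODES = {
  "00000562": "ERROR_MEMBER_IN_ALIAS (already a member)",
  "00000561": "ERROR_MEMBER_NOT_IN_ALIAS (not a member)"
};

function classifyLdapModError(msg) {
  // JNDI format: "[LDAP: error code NN - XXXXXXXX: ...]"; the post's log shows
  // an en dash (U+2013) in place of "-", so accept both separators.
  var m = /LDAP: error code (\d+)(?:\s*[-\u2013]\s*([0-9A-Fa-f]{8}))?/.exec(String(msg));
  if (!m) {
    return { code: null, data: null, benign: false, reason: "no LDAP result code in message" };
  }
  var code = parseInt(m[1], 10);
  var data = m[2] ? m[2].toUpperCase() : null;
  var result = { code: code, data: data, benign: false, reason: "" };
  if (!BENIGN_RESULT_CODES.hasOwnProperty(code)) {
    // e.g. 32 noSuchObject when the group itself was deleted or renamed
    result.reason = "result code " + code + " is a real failure";
    return result;
  }
  if (data !== null) {
    // An AD data code is present: it must be one of the two membership no-ops.
    result.benign = AD_DATA_CODES.hasOwnProperty(data);
    result.reason = result.benign ? AD_DATA_CODES[data] : "AD data code " + data + " is not a membership no-op";
    return result;
  }
  // No data code: 53 on its own is too ambiguous to ignore; 16, 20 and 68 are specific.
  result.benign = code !== 53;
  result.reason = result.benign ? BENIGN_RESULT_CODES[code] : "code 53 without AD data code, not ignoring";
  return result;
}
```

A message with no "LDAP: error code" text at all (the "cannot modify entry" case mentioned in the comments) is reported as a real failure rather than silently skipped.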



Sample output from the Runtime Logs testing this with an Active Directory server:

Fail during ADD to member attribute in ADS because the person is already a member of the group:

09.04.2014 15:06:58 :I:initPass ToDSADirect: Test Add Person To Group

09.04.2014 15:06:58 :E:Failed storing CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc

09.04.2014 15:06:58 :E:Exception from Mod operation:ToDSADirect.modEntry CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc failed with NamingException. (LDAP error: The object already exists)

Explanation: [LDAP: error code 68 – 00000562: UpdErr: DSID-031A119B, problem 6005 (ENTRY_EXISTS), data 0

]

Remaining name: CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc

Resolved name:  – javax.naming.NameAlreadyBoundException: [LDAP: error code 68 – 00000562: UpdErr: DSID-031A119B, problem 6005 (ENTRY_EXISTS), data 0

]; remaining name ‘CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc’

09.04.2014 15:06:58 :I:myLDAPerrorhandler: Got data from errorInfo

09.04.2014 15:06:58 :I:myLDAPerrorhandler: Original mod exceptionjavax.naming.NameAlreadyBoundException: [LDAP: error code 68 – 00000562: UpdErr: DSID-031A119B, problem 6005 (ENTRY_EXISTS), data 0

]; remaining name ‘CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc’

09.04.2014 15:06:58 :I:myLDAPerrorhandler: Error on multivalue add for existing value detected, setting provision OK

09.04.2014 15:07:03 :I:exit ToDSADirect

09.04.2014 15:07:03 :I:ToDSA Direct pass completed in 5.363 seconds.

Fail during DEL from member attribute in ADS because the person is not a member of the group:

09.04.2014 15:12:21 :I:initPass ToDSADirect: Test Add Person To Group

09.04.2014 15:12:21 :E:Failed storing CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc

09.04.2014 15:12:21 :E:Exception from Mod operation:ToDSADirect.modEntry CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc failed with NamingException. (LDAP error: The server does not handle directory requests)

Explanation: [LDAP: error code 53 – 00000561: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0

]

Remaining name: CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc

Resolved name:  – javax.naming.OperationNotSupportedException: [LDAP: error code 53 – 00000561: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0

]; remaining name ‘CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc’

09.04.2014 15:12:21 :I:myLDAPerrorhandler: Got data from errorInfo

09.04.2014 15:12:21 :I:myLDAPerrorhandler: Original mod exceptionjavax.naming.OperationNotSupportedException: [LDAP: error code 53 – 00000561: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0

]; remaining name ‘CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc’

09.04.2014 15:12:21 :I:myLDAPerrorhandler: Error on multivalue delete of nonexisting value detected, setting provision OK

09.04.2014 15:12:26 :I:exit ToDSADirect

09.04.2014 15:12:26 :I:ToDSA Direct pass completed in 5.373 seconds.

Br,

Chris


5 Comments


  1. Ridouan Taibi

    Hi Chris,

    I tried this with ADS but unfortunately uGetErrorInfo function doesn’t return the LDAP error, instead the error cannot modify entry + user DN is returned.

    Thanks for sharing this.

    Regards,

    Ridouan

    1. Per Krabsetsve (Post author)

      Hi,

      Thanks for the update. I got a few minutes to spare today and now I’ve updated the script with (tested) ADS errorcodes (68 for ADD and 53 for DEL). The intention for this script example is to use it specifically on multivalue add/delete operations and as such the interpretations of these errorcodes should be fairly safe. I’m sure there’s a usecase or fail situation that returns the same code where you don’t want to ignore the error.

      Br,

      Chris

  2. Simona Lincheva

    Hi Chris,

    I have just implemented your solution and it’s working 🙂 , thanks a lot.

    My suggestion for small optimization is to add a check for deleted/renamed group in AD (if you want to remove/assign a user to already deleted/renamed group in AD).

    BR,

    Simona
